Month: December 2010

Information security professionals can learn a lot from WikiLeaks. It seems that there are always new lessons available to us every day. One topic that came to light early in the release of the cables was that most of the information seemed rather trivial, which made it difficult to see why politicians were so upset over the incident.

The Center for Public Integrity has an excellent piece on examples of over classifying data that is in fact trivial. According to the Information Security Oversight Office report , the government spent $8.8 billion on safeguarding classified information.

“Over-classification is not in the interest of the government,” said Bosanko. “Finite resources are best deployed when they are focused on the information that truly requires protection.”

Over-classification a problem that creates inefficiencies, weakens accountability, and financially weakens an organization. Some security professionals believe that security for the sake of security defines what security is. This may be done to create perceived job security or because the individual believes it is the right thing to do. If sometimes there is a temptation to label all data as the most important and critical for simplicity. In the end this creates unnecessary expense in both equipment and personnel resources. The proper thing for all security professionals to do is to deliver a customized solution that suits the customer or employer needs.

Security professionals should be aware of the organization’s operating objectives. In an economic downturn this may mean under protecting some assets in favor of deploying finite resources to protect the organization’s critical areas. Even in good times the security professional should accept that all businesses exist to provide benefits to the shareholders. This includes government because the taxpayers are the equivalent of shareholders.

The security professional should be prepared to interact with various business unit heads to get their view of what is important. Each department head or staff member will have their own opinions and these should be collected for senior management review. Senior management with the assistance of the security professional will determine the appropriate level of protection needed for the organization’s data. This may be driven by the sensitivity of the data or it may be a financially driven decision where a total budget number is given in the organization must find a way to secure the most critical information only.

Under the ISO 27,001 standard, "top management" should be involved in the security and risk decisions made by the organization. The security professional should work with top management to find the best solution that suits the organization in terms of both costs and efficiency. Security professionals can increase their visibility and bring value to their organizations through partnering with upper management.

The environmental remediation company RINO International Corporation has been delisted due to some questionable business practices. RINO had a recent peak of around $20 near the beginning of November and dropped like a rock since then. If you were an owner of RINO between May 28, 2008 and Nov 17, 2010 you have until January 14, 2011 to get in on the action. The class action alleges that :

That the Company did not enter into at least two customer contracts and 20-40% of the Company’s other contracts had problems for which it reported revenues during its 2008 and 2009 fiscal years

That the Company’s reported revenues for fiscal year 2009 to the SEC that were inflated by 94%

That the Company’s management was draining cash from the Company for its own business and personal uses

That the Company lacked adequate internal and financial controls

That, as a result of the foregoing, the Company’s financial results were materially false and misleading at all relevant times.

If you are a shareholder who purchased RINO securities during the Class Period, you have until January 14, 2011 to ask the Court to appoint you as lead plaintiff for the class. A copy of the complaint can be obtained at www.pomerantzlaw.com . To discuss this action, contact Rachelle R. Boyle at rrboyle@pomlaw.com or 888.476.6529 (or 888.4-POMLAW), toll free. Those who inquire by e-mail are encouraged to include their mailing address and telephone number.

This is a serious blow to the environmental movement since RINO was one of the companies that makes equipment to reduce pollution from industrial processes. If the first issue is true, then RINO was doing a lot less for the environment than they were leading shareholders to believe.

We were bullish on the stock earlier in the year and had identified several limited gain/risk strategies. We had used a 13/12 Bull Put Vertical in October cash in on an upward movement of the stock. Our max loss would have been limited $100 per contract had RINO gone against us. Imagine going from $20/share down to $2. Having an exit strategy using stop loss orders or put options is essential when bad news breaks. Using option credit spreads allows you to exit the stock each month while still collecting premium.

China Integrated Energy appears to be on a decline. The chart shows several technical reasons to be bearish.

The stock is making lower highs and lower lows.

Persons Proprietary Signal has given us a sell indicator along with an impending crossover

MACD is also showing lower highs and lower lows. It is about to crossover.

StochasticSlow has lower highs and lower lows. It is about to crossover.

RSI Wilder has lower highs and lower lows. The past two days are declining.

MoneyFlow has lower highs and lower lows. The past 3 days are declining. This means money is continuing to move out of this stock.

The Linear Regression Channel shows a mean price of 7.87 and a top/bottom of 11.20/4.54. The channel is also down trending. Prices should gravitate toward the mean of the channel. Close to the outer edges means the stock is very expensive or very cheap in relation to the mean.

CBEH doesn’t appear to be available for short selling. One approach is to use options. While it is possible to go buy a FEB 7.50 put the cost of the put can be lowered by selling a Feb 5.00 put against it. This may be a reasonable strategy since the lower regression line is at 4.54. The strategy allows flexibility for legging out of the trade by selling the long FEB 7.50 and holding the FEB 5.00. There is also an opportunity to sell the FEB 7.50 and accept assignment for 5.00/share with the short put if it is barely ITM. There does appear to be some support around the 6.05 low, so getting an options assignment may not be an issue.

Long term CBEH might be a worthwhile stock to hold. The balance sheet shows increasing total assets and decreasing liabilities. The income statement also shows an increase in Total Net Income and EPS. The complete 2009 Annual Report will have even more information to research. At 4.54 this could be worth getting into for a few weeks or months.

Harry de Gorter and Jerry Taylor have written a nice piece on the need to let ethanol protectionism expire. There is a current subsidy of 45 cents per gallon and an import tariff of 54 cents per gallon. Even Al Gore admits that ethanol is not what we had hoped for.

The House passed HR 4853 on December 17 and it was signed by President Obama that day.

Section 701 extends $1 per gallon tax credit through 2011 and also add a credit for diesel fuel made from biomass.

Section 704 excludes black liquor ethanol from tax credits

Section 708 extends the subsidies and tariffs on ethanol until 1/1/2012.

We know ethanol producers will be receiving special treatment from the government we can try to use that information for our own purposes. We know that some of these ethanol producers will not be going out of business immediately, but are they a good place to park your money? The ethanol industry has been lobbying for subsidies because they are not operating from a position of strength. On 12/20/2010 these might see a rise in price because of the news. Green Plains Renewable Energy bounced off its lower Bollinger Band has started to hove upwards to the upper band at around 11.50. Green Plains managed to post 19.79M in earnings in FY2009. Green Plains might be worth considering if it breaks out into an upward trend after being in a tight range since dropping off in early November.

Pacific Ethanol Inc on the other hand posted a net income around –300M. The chart also shows us a downward trend after the gap up continuing a downward trend. Pacific Ethanol and the other companies in this space look like good short sell opportunities since they are still in a downward trend.

China Integrated Energy is not in the US and not affected by the subsidies or tariffs. They have a nice balance sheet and a very nice PEG Ratio of 0.28. For some reason the Chinese manage to stay ahead of the US in terms of alternative fuel production.

In an ideal libertarian world there would be no subsidies or tariffs and the people would keep more of their money, rather than have it distributed to other parties. I am not questioning the wisdom behind extending the subsidies for ethanol producers. If we disagree with what the government does with our tax money, we have the option of taking action that makes us whole again.

The clever combatant imposes his will on the enemy, but does not allow the enemy’s will to be imposed on him. – Sun Tzu

Green Plains Renewable Energy Inc

BioFuel Energy Corp

Pacific Ethanol Inc

Earnings: -308.15 M

Rex American Resources Corp

Downward channel. Stay away until it turns up or go for a short sell at the top of the channel.

China Integrated Energy

Broken out of the downward trend. Potential entry point if it holds.

As always do your own research. These examples are educational tools used to teach chart reading. Other evaluations should seriously be considered before buying or selling any investment.

In our last set of trade ideas, Trading on Fear with WikiLeaks, we had picked a few equities in the DLP and ERM space that might be interesting plays for the government sector. Currently the military is using something called Host Based Security System for endpoint protection. Apparently HBSS is a McAfee product that may have been slightly customized. The contract for end point protection was awarded in 2006 so it is understandable that they are looking for better solutions. There is a deployment of Bivio Networks appliances for Deep Packet Inspection (DPS) at certain sensitive locations on the network. Clearly the military is moving in the right direction and it is logical that they will eventually purchase some form of host based DLP agent. When the request for bid proposals is released our picks might be a growth opportunity. Other governments will also be seeking to secure themselves against any leaks in the future so this can present itself as a growth opportunity as well. Bivio Networks is privately held; however, they are partially owned by Goldman Sachs(GS). Much like buying Intel to get exposure to McAfee, buying some of the big finance houses is a way to get exposure to the security space while being fairly diversified.

The military has implemented a new policy stating removable media can not be used on SIPRNET computers. While this may seem like a good thing the implementation may be lacking. The private sector has warned of the exposure caused by removable media for years. From a practical stand point banning all removable media is nothing more than a good sounding idea.

“Users will experience difficulty with transferring data for operational needs which could impede timeliness on mission execution,” the document admits. But “military personnel who do not comply … may be punished under Article 92 of the Uniformed Code of Military Justice.” Article 92 is the armed forces’ regulation covering failure to obey orders and dereliction of duty, and it stipulates that violators “shall be punished as a court-martial may direct.”

The military understands that efficiency will be impacted by their decision and they appear to be sticking by their guns on disciplining anyone who disobeys orders. The key point here is a loss of efficiency via this policy . Private sector businesses rely on efficiency to maintain profitability. Before implementing such a policy at your business, it is important to determine if it is the right thing to do. The CFO is going to be interested in the impact any proposed policy has on the bottom line. The loss of efficiency is something that will have to be weighed against security. Based on the content of the Wired.com article it appears that no preventative technological controls are going to be used, otherwise punishing soldiers with a courts martial would not be mentioned. The best solution would be to use technology to disable removable media as a supplement to the policy. Policies that depend on the honesty of the workforce are seldom successful. The anonymous sources in the article that intend to keep using removable media show that policies alone do not equal security.

In a previous post I had discussed how security professionals can benefit from WikiLeaks. Today we we will take a look at how the security industry can benefit from WikiLeaks. Physical security procedures can help prevent sensitive data from leaving a secure facility; however, tracking and auditing your data is equally important. The category of software that can help us out in this case is called Data Loss Prevention (DLP). Most of these solutions involve a discovery component that finds all of your files on servers and workstations/laptops. This is useful provided you know what you have and who should have it. For example, the spreadsheet with employee salaries should probably be in payroll and HR only. If someone in engineering has the complete list, that is probably a bad thing. Government organizations can benefit from this more easily since workers are given security clearances and checking the document contents for a security classification, then matching it against a worker profile can be a quick way of checking for leaks. This does not prevent personnel with access to the data from misusing it. Some DLP products work by monitoring files traveling across the network for content that has been flagged by an administrator. Copying files to removable media or printing can also be flagged for an alert.

Enterprise Rights Management (ERM) software is similar to the Digital Rights Management (DRM) copy protection that was found on MP3 music in the early days of the iTunes store, and what you find on eBooks from Amazon and other retailers. ERM can be applied to Microsoft Office documents and email. It works by encrypting the documents and only decrypting them if an authorized user or computer accesses them. If someone were to steal an ERM protected document it simply would not open on an unauthorized computer. It is also possible to restrict documents by department within a company, but that involves fully understanding the complexities of who should have access to what. ERM can also prevent printing, copy & paste, and print screen if needed. Several reference customers I have talked to simply setup their ERM to prevent opening their files on computers not owned by the company. Employees could carry documents on USB drives, but could only access them from company computers. ERM and DLP might have prevented WikiLeaks from happening. Oracle has a nice video of an ERM product they acquired.

Most of the companies in the DLP and ERM space are privately held and the larger ones have been absorbed by other companies in the security space. Oracle & Microsoft are also companies that make many software products other than just their ERM offerings. Intel acquired McAfee who also had an ERM product. Most of the examples below are from Gartner’s Magic Quadrant research on the DLP space and have and upward trend in the 50 and 100 SMA. Will DLP and ERM become an important market in 2011 and will these companies be able to take advantage of increased data loss awareness caused by WikiLeaks? Traders may want to keep an eye on these companies if DLP or ERM take off. Well diversified companies such as EMC or Oracle may see some additional revenue from their acquisitions of other companies.

The Tao Te Ching brings us Yin and Yang, two opposites that are a part of the ever changing universe. The misfortunes of the State Department (Yin) can be transformed into a victory for the security profession (Yang). Or to simply put it, when life gives someone else lemons, you take their lemons and make lemonade. One important aspect of Cable Gate is that it has brought attention to information security and the need for information security. Security professionals across the world can expect organizations to begin asking if they are vulnerable to the same thing. And more importantly, what to do about it. This is a grand opportunity to bring your skills to the table and represent the profession when your employer or customers turn to you for help . It does not matter if you are an engineer, a consultant, or management. When a breach happens the spotlight is on security and it is our time to sing.

Technology Is A Tool Not The Solution

In the world of information security it is all too easy to propose technology solutions that are not the whole solution. The technology can be a part of the solution, but we must realize that there is no silver bullet and that the truly motivated will find a way around any barrier. A solution is a combination of leadership, with a strategy, direction, and a team that can bring it all together. The most important component is leadership. Leadership does not have to come from the top of the organization. Security professionals by nature have to interface with other professionals in finance, public relations, marketing, and other areas. Be the expert in what you know, but do not discount the knowledge that other team members bring because they are a part of the solution.

Know That Everything Can Not Be Fixed

Leadership is also about knowing what can and can not be done. Not every exposure can be fixed. Not every risk can be effectively mitigated. Not every budget is unlimited. Not everyone wants to hear that no matter what you do, there is not a silver bullet. Setting expectations with other professionals and the public is extremely important. Security is about providing reasonable protection against threats. Sure, it may be possible to secure something by sending all the workers home and burning everything that is left. Even then you can not be sure that everything is gone. The stakeholders in the business would certainly object to shutting everything down. They would also object to a more pleasant picture than an army of security professionals could paint. Reasonable protection is about compromise between all stakeholders. This means that security professionals may also have to compromise. That does not mean that security is unimportant. Understanding that fact brings us back to the solution with many professionals working together and to teamwork.